Custom Login vs Universal Login: customization and security

I agree with you that the universal login approach may impose some overhead in terms of then having to manage the login page interface separately, but even with just a single application it has some benefits. I’m not saying that you can’t implement embedded login in a secure way, but the problem with embedded is that your own application will still have to handle user credentials and just that by itself is a huge thing.

For example, let's suppose the application suffers from an XSS vulnerability; the impact of that would be bad in either case, however, it could be argued that the possibility of exposing an end-user password is always greater than exposing tokens and if you implement embedded login then a vulnerability could lead to the actual password being exposed.

In conclusion, I would personally prefer the overhead of managing a separate deployment pipeline so that the login user interface is integrated through universal login instead of having to handle user credentials (passwords) in my client applications.